Microsoft Edge will be safer than Internet Explorer

Microsoft decided to develop an all-new web-browser, Microsoft Edge, for the launch of Windows 10. Little by little, Microsoft is revealing additional information about Microsoft Edge, its upcoming browser replacement for Internet Explorer. Not only does Microsoft Edge have a new look and feel and a new rendering engine — it also has a new take on security, web standards and legacy code.

On its Microsoft Edge Dev Blog the Edge Dev team has been busy posting information about what the browser will have — and what it will leave out.

The company stated:

“This fundamentally changes the process model, so that both the outer manager process, and the assorted content processes, all live within app container sandboxes. This provides the user and the platform with the confidence provided by other Windows store apps.”

Microsoft Edge will also run as a 64-bit program every time it is used by a 64-bit processor, and not just via a default setting. The company says this move will allow for Windows ASLR (Address Space Layout Randomization) to be stronger: “Attackers want to inject malicious code into your browser process via a coding bug, and then execute their malicious code. ASLR makes that harder by randomizing the memory layout of the process, making it hard for attackers to hit precise memory locations to achieve their ends. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger, making it much more difficult for attackers to find the sensitive memory components they need.”

Bye Bye ActiveX and BHOs

The biggest change for developers coming with Microsoft Edge is that it will get rid of legacy browser technologies including ActiveX and Browser Helper Objects (BHO). Both of these technologies go back to the 1990s and the heyday of Internet Explorer.

ActiveX was introduced back in 1996 as a way to embed native Windows technology into the web browser. This was the way other web technologies such as Flash, Silverlight, Java and PDF plugins would typically get integrated into the browser.

ActiveX is going away because as Microsoft says, the need for those sorts of controls “has been significantly reduced by HTML5-era capabilities, which also produces interoperable code across browsers.” And just because ActiveX is going away doesn’t mean Flash is dead. No, Microsoft will be building Flash into the browser — much as Chrome does now. Microsoft Edge will also support native PDF rendering.

Microsoft is also getting rid of its old extension model, the Browser Helper Objects (BHO). BHOs were most commonly used to build third-party search toolbars for stuff you never wanted or needed. This means that with any luck, you will never again see an Ask.com toolbar in a Microsoft browser.

Microsoft is still going to offer a way for developers to build extensions — following a similar HTML/JavaScript model that has been adopted by Mozilla, Google, Apple and Opera. Microsoft says it will enable that model later this summer so that developers can build their add-ons for the new browser.

Getting rid of other cruft

Microsoft also says it has removed 220,000 unique lines of code (LoC) and more than 300 APIs.

At the same time, it is adding a ton of stuff to the new browser. More than 300,000 LoC have been added, as well as 49 new major features and 4200 browser interoperability features.

Microsoft is also getting rid vendor prefixes for Edge. This means that in order for developers to take advantage of special HTML5 or CSS features, they won’t have to use a specific Edge prefix. Instead, they can just code to web standards.

This is a move in the right direction for Microsoft and it mirrors some of the recent hires the company has made in the area of open web evangelism and web standards.

Embracing a secure, sandboxed model

On Monday, the Edge team blogged about some of the security features within Microsoft Edge. Microsoft lays out how it is building its new browser to better be able to stand up to web threats, as well as how its update model will be better than before.

Getting rid of ActiveX and BHOs will actually make the browser more secure. For years, third-parties have exploited the binary aspect of ActiveX to execute nasty code that can take down the browser or the underlying operating system.

By shifting to HTML/JavaScipt-based extensions, Microsoft is limiting the access extensions will have, as well as some of the control they could potentially take system.

The biggest feature for security, however, might just be in how Microsoft is treating Edge. Microsoft Edge is being released as a Universal Windows App. This means that it will live in a sandboxed world. Microsoft says this means that “every Internet page that Microsoft Edge visits will be rendered inside an app container, the latest and most secure client-side app sandbox in Windows.”

It also means that as a Universal Windows App, users can get updates from the Microsoft Store — as opposed to updates being tied to Windows Update.

Decoupling browser updates from the rest of the OS is great, especially for keeping stuff up-to-date. It also opens up the door for Microsoft to do the kind of automatic updates that Chrome and Firefox do now.

Microsoft Edge will debut alongside Windows 10 when it launches later this summer.